I found an XSS vulnerability in PayPal. It is located on their main site (https://www.paypal.com/). Unfortunately my report was a duplicate; another researcher had already found the bug. Anyway, here is the PoC:
June 1 ------ Bug found
June 3 ------ Vulnerability confirmed; they gave me a case number.
De La Salle University is one of the Philippines' most prestigious universities and is included in the "Top 4 universities and colleges in the Philippines". However, their site has an SQL injection vulnerability. I have reported it to them over the past 2 years (since I was in 3rd year high school) but got no reply. There are many vulnerable parameters. Among them is this one: http://www.dlsu.edu.ph/faculty/fis/alpha_list.asp?letter=B%27 Notice the string (%27), which tells you whether it can be injected or not. PoC:
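To show why the %27 probe works, here is an added example in JavaScript (Node). It is not code from this post or from the DLSU site; the query text, table and column names, and the handler names are made up for illustration. It contrasts a handler that concatenates the letter parameter straight into SQL (the decoded single quote closes the string literal early, which is the syntax error the probe is meant to trigger) with one that allow-lists the single letter and binds it as a parameter.

```javascript
// Added example, not code from the original post or from the DLSU site.
// The query text is CONSTRUCTED to resemble an "alphabetical list" lookup;
// the site's real query is unknown.

// Hypothetical vulnerable handler: concatenates the raw request parameter
// into the SQL text. "B%27" decodes to B' and lands inside the string literal.
function buildAlphaListQueryUnsafe(rawLetterParam) {
  const letter = decodeURIComponent(rawLetterParam);
  return `SELECT name FROM faculty WHERE surname LIKE '${letter}%'`;
}

// An odd number of single quotes means the injected quote closed the literal
// early and the remainder is parsed as SQL; the database rejects the statement
// with a syntax error, and that error is what the %27 probe looks for.
function hasUnbalancedQuotes(sql) {
  const count = (sql.match(/'/g) || []).length;
  return count % 2 === 1;
}

// Hypothetical safe handler: the parameter is supposed to be one letter, so
// allow-list it, then hand it to the driver as a bound parameter. The "?"
// placeholder is the common driver syntax; the value travels separately from
// the SQL text, so a quote inside it can never change the statement.
function buildAlphaListQuerySafe(rawLetterParam) {
  const letter = decodeURIComponent(rawLetterParam);
  if (!/^[A-Za-z]$/.test(letter)) {
    throw new Error("letter must be a single A-Z character");
  }
  return {
    sql: "SELECT name FROM faculty WHERE surname LIKE ?",
    params: [letter + "%"],
  };
}

// Walk through the probe the way a tester would read it.
function demo() {
  const normal = buildAlphaListQueryUnsafe("B");
  const probe = buildAlphaListQueryUnsafe("B%27");
  console.log("normal :", normal, "-> unbalanced:", hasUnbalancedQuotes(normal));
  console.log("probe  :", probe, "-> unbalanced:", hasUnbalancedQuotes(probe));
  console.log("safe   :", JSON.stringify(buildAlphaListQuerySafe("B")));
  try {
    buildAlphaListQuerySafe("B%27");
  } catch (e) {
    console.log("safe handler rejected B%27:", e.message);
  }
}

demo();
```

The unsafe handler turns `letter=B%27` into `... LIKE 'B'%'`, three quotes, so the parser chokes; that is the whole signal the probe gives. The safe handler never reaches the database with that input at all, and even an accepted letter goes in as a bound value rather than as query text.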
While randomly searching for websites to "pwn", I came across the website of the Official Gazette of the Republic of the Philippines (http://gov.ph). I just typed a payload into the search bar and voila! XSS vulnerable. I contacted them via Twitter and the XSS was fixed after a day. (They take web vulnerabilities seriously now, unlike before.)
The vulnerable part was their search bar. Just type the payload you want. In my case I used the most common payload:
"><img src=x onerror=alert(document.domain)>
The vulnerability has been fixed; check it out yourself :)
This post is about an XSS vulnerability I found in Edmodo. The bug is now fixed. They responded within 3 days (pretty fast) and fixed the vulnerability on the last day.
Steps to reproduce:
1. To reproduce the issue you must, of course, have an Edmodo account.
2. Go to the upper-left panel, where you will see 3 symbols; click the left one, the "Backpack".
3. After that, go to "Folders" in the left pane.
4. Click "New folder" and enter the payload. Here is the trick: ordinary payloads like "><img src=x onerror=alert(1)> will be filtered. To bypass the filter I used this instead: <img src=x onerror=alert(5)>
5. Now click "Create".
6. XSS pop-up.
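The gov.ph and Edmodo payloads above illustrate the same lesson, so here is one added example in JavaScript (Node) that covers both; it is not code from either site or from this post. The "weak filter" that drops everything from the first double quote onward is a constructed guess at the kind of check that stops "><img src=x onerror=alert(1)> but lets <img src=x onerror=alert(5)> through (the real Edmodo filter is unknown). It is set beside context-aware HTML escaping, which neutralizes both payloads, and a small detector that reports whether a tag with an event-handler attribute survived into the rendered markup.

```javascript
// Added example, not code from the original post, from Edmodo or from gov.ph.
// weakFilter is a CONSTRUCTED stand-in for a blocklist that only worries about
// attribute break-out; the real filter on either site is not known.

// Hypothetical weak filter: treats a double quote as the start of an attack
// and discards it and everything after it. The "><img ...> payload is wiped
// out, but a payload with no quotes at all passes through untouched.
function weakFilter(input) {
  const i = input.indexOf('"');
  return i === -1 ? input : input.slice(0, i);
}

// Proper output encoding for an HTML text context: every character that can
// open a tag, end an attribute, or start an entity is replaced, so the browser
// can never see a new element no matter what the input looks like.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Did a tag carrying an on*= handler make it into the output? A grep is fine
// for a demo; a real check would parse the resulting DOM.
function containsEventHandlerTag(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Stand-in for the page that echoes a user-chosen folder name (or search term).
function renderFolderName(name, sanitizer) {
  return `<div class="folder">${sanitizer(name)}</div>`;
}

const filteredPayload = '"><img src=x onerror=alert(1)>'; // the one the filter catches
const bypassPayload = "<img src=x onerror=alert(5)>";     // the one that got through

// Run both payloads through both defences and report what survives.
function compareDefences() {
  return {
    weakFilterStopsQuotedPayload: !containsEventHandlerTag(renderFolderName(filteredPayload, weakFilter)),
    weakFilterStopsBypassPayload: !containsEventHandlerTag(renderFolderName(bypassPayload, weakFilter)),
    escapingStopsQuotedPayload: !containsEventHandlerTag(renderFolderName(filteredPayload, escapeHtml)),
    escapingStopsBypassPayload: !containsEventHandlerTag(renderFolderName(bypassPayload, escapeHtml)),
  };
}

console.log(compareDefences());
console.log(renderFolderName(bypassPayload, weakFilter)); // the handler is still live
console.log(renderFolderName(bypassPayload, escapeHtml)); // rendered as inert text
```

The point of the comparison: the blocklist is reasoning about one attack shape (breaking out of a quoted attribute) and is blind to a payload that opens a fresh element directly in a text context. Encoding for the output context does not need to know what the attacker tried, which is why it holds up against the second payload too.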
As a reward, they will give me goodies :) like Edmodo mugs, T-shirts, etc.
August 17 ---- Reported and triaged
August 18 ---- Vulnerability confirmed; they asked for my mailing address for reward delivery